Fix NONE policy validation and 'routeback' for wildcard interfaces

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@786 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2003-11-08 02:38:30 +00:00
parent e147813da0
commit 80981e802e
4 changed files with 31 additions and 8 deletions


@ -33,3 +33,8 @@ Changes since 1.4.7
14) Corrected handling of /32 addresses with broadcast in maclist 14) Corrected handling of /32 addresses with broadcast in maclist
processing. processing.
15) Generate error for NONE policy where source or destination zone is
the firewall itself.
16) Fix 'routeback' for wildcard interfaces.
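Review bot: changelog item 15 is narrower than the check the validate_policy hunk in this same commit adds, which also rejects NONE when either zone is "all" (the `$clientwild`/`$serverwild` test). Suggest `15) Generate error for NONE policy where source or destination zone is the firewall itself or "all".` so the changelog agrees with the code and with the updated /etc/shorewall/policy comment.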


@ -636,11 +636,11 @@ validate_interfaces_file() {
all_interfaces="$all_interfaces $interface" all_interfaces="$all_interfaces $interface"
options=`separate_list $options` options=`separate_list $options`
interface=`chain_base $interface` iface=`chain_base $interface`
eval ${interface}_broadcast="$subnet" eval ${iface}_broadcast="$subnet"
eval ${interface}_zone="$z" eval ${iface}_zone="$z"
eval ${interface}_options=\"$options\" eval ${iface}_options=\"$options\"
for option in $options; do for option in $options; do
case $option in case $option in
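Review bot: the rename of the chain_base result from `interface` to `iface` only covers the three `eval ${iface}_...` assignments visible here, and the hunk stops at `case $option in`, so the option-handling body that follows (where the 'routeback' handling for wildcard names such as "tun+" presumably lives) is not shown. Any `${interface}_...` eval still present in that loop, or later in validate_interfaces_file, would now build a variable name from the raw interface name instead of the chain_base form; please grep the rest of the function for `${interface}_` and confirm each one was switched to `${iface}_`. A one-line comment noting that `interface` is deliberately left unmodified from this point on would make the intent clear to the next reader.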
@ -763,7 +763,14 @@ validate_policy()
esac esac
case $policy in case $policy in
ACCEPT|REJECT|DROP|CONTINUE|NONE) ACCEPT|REJECT|DROP|CONTINUE)
;;
NONE)
[ "$client" = "$FW" -o "$server" = "$FW" ] && \
startup_error " $client $server $policy $loglevel $synparams: NONE policy not allowed to/from the $FW zone"
[ -n "$clientwild" -o -n "$serverwild" ] && \
startup_error " $client $server $policy $loglevel $synparams: NONE policy not allowed with \"all\""
;; ;;
*) *)
startup_error "Invalid policy $policy" startup_error "Invalid policy $policy"
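Review bot: the two new NONE checks rely on `$clientwild` and `$serverwild` already being set for this policy entry, but the hunk starts at an `esac`, so the code that populates them is not visible; confirm they are assigned before `case $policy in`, otherwise the "all" case passes silently. Minor: the second message, `NONE policy not allowed with "all"`, could name which column (SOURCE or DEST) carried the wildcard, since the error text is the only hint the user gets about what to change.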
@ -781,8 +788,6 @@ validate_policy()
[ "x$loglevel" = "x-" ] && loglevel= [ "x$loglevel" = "x-" ] && loglevel=
chain=${client}2${server}
[ $policy = NONE ] || all_policy_chains="$all_policy_chains $chain" [ $policy = NONE ] || all_policy_chains="$all_policy_chains $chain"
eval ${chain}_is_policy=Yes eval ${chain}_is_policy=Yes
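Review bot: this hunk removes `chain=${client}2${server}`, yet the remaining lines `[ $policy = NONE ] || all_policy_chains="$all_policy_chains $chain"` and `eval ${chain}_is_policy=Yes` still use `$chain`, so `chain` must now be assigned earlier in validate_policy; that assignment does not appear in any hunk on this page. Please confirm it exists, otherwise `all_policy_chains` would collect an empty entry and the eval would define a variable named `_is_policy`. The header reports two deleted lines but only one deletion is rendered, so the second cannot be reviewed here.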


@ -43,7 +43,9 @@
# with this SOURCE and DEST in the # with this SOURCE and DEST in the
# /etc/shorewall/rules file. If such a # /etc/shorewall/rules file. If such a
# packet _is_ received, the result is # packet _is_ received, the result is
# undefined. # undefined. NONE may not be used if the
# SOURCE or DEST columns contain the
# firewall zone ($FW) or "all".
# #
# LOG LEVEL If supplied, each connection handled under the default # LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no # POLICY is logged at that level. If not supplied, no
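Review bot: the added comment matches the new validate_policy check, but "the firewall zone ($FW)" leans on a shell variable name that someone editing /etc/shorewall/policy may not recognise; suggest "the firewall zone (the zone named by the FW setting in shorewall.conf)". It would also help to state that a violation is reported as a startup error, so users know how the restriction shows up.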


@ -59,6 +59,17 @@ Problems Corrected since version 1.4.7:
address with a broadcast address then an error would occur during address with a broadcast address then an error would occur during
startup. startup.
11) The NONE policy's intended use is to suppress the generating of
rules that can't possibly be traversed. This means that a policy of
NONE is inappropriate where the source or destination zone is
$FW. Shorewall now generates an error message if such a policy is
given in /etc/shorewall/policy. Previously such a policy caused
"shorewall start" to fail.
12) The 'routeback' option was broken for wildcard interfaces (e.g.,
"tun+"). This has been corrected so that 'routeback' now works as
expected in this case.
Migration Issues: Migration Issues:
1. The definition of the ROUTE_FILTER option in shorewall.conf has 1. The definition of the ROUTE_FILTER option in shorewall.conf has
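Review bot: item 11 leaves the before/after unclear. The new code calls startup_error, so "shorewall start" still fails; what changed is that it now fails with a specific message rather than the unexplained failure the last sentence describes. Suggest "Previously such a policy caused 'shorewall start' to fail without indicating the cause." Item 11 also omits that NONE is now rejected when SOURCE or DEST is "all", which the policy-file comment in this commit documents; adding that keeps the release notes consistent with the code.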